How to write a GDPR data privacy notice in 2020

How to write a GDPR data privacy notice in 2020

The  GDPR (General Data Protection Regulation gives individuals more control over how their personal data is used.

If your organisation processes personal data, the Regulation requires you to provide data subjects with certain information. This typically takes the form of a data privacy statement or privacy notice.

But what is a data privacy notice, and what should it contain? This post explains everything you need to know.

What is a privacy notice?

 

A GDPR privacy notice is an important way to help your customers make informed decisions about the data you collect and use. We’ve brought together some information from the law itself and from the EU’s guidance documents to help you understand the components of a good privacy notice. And at the bottom, we’ve included a privacy notice template that you can adapt to your own organization.

A privacy notice is a document that organisations give to individuals to explain how their personal data is processed.There are two reasons for doing this. First, it ensures that you’re as transparent as possible with data subjects. This prevents any confusion about the way personal data is being used and ensures a level of trust between the organisation and the individual.

Second, it gives individuals more control over the way their data is collected and used. If there’s something the data subject isn’t happy with, they can query it via a DSAR and potentially ask the organisation to suspend that processing activity.

Let us watch the different steps of writing a GDPR Data Privacy Notice through this video:

How to write a privacy notice?

 

1) Contact details

The first thing to include in your privacy notice is the name, address, email address and telephone number of your organisation.

If you’ve appointed a  DPO(data protection office) or  EU representative, you should also include their contact details.

 

2) The types of personal data you process

The definition of personal data is a lot broader than you might think.

Ensure you include everything that you’re collecting and do so as specifically as possible.

For example, instead of just saying ‘financial information’, state whether it’s account numbers, credit card numbers, etc.

You should also outline where you obtained the information if it wasn’t provided by the data subject directly.

3) Lawful basis for processing personal data

Under the GDPR, organisations can only process personal data if there is awful basic for doing so . Your privacy policy should specify which one you’re relying on for each processing purpose.

Additionally, if you are relying on legitimate interests, you must describe them. If you’re relying on consent, you should state that it can be withdrawn at any time.

4) How you process personal data?

You must explain whether you will be sharing the personal data you collect with any third parties.

We suggest also specifying how you will protect shared data, particularly when the third party is based outside the EU.

5) How long you’ll be keeping their data?

The GDPR states that you can only retain personal data for as long as the legal basis for processing is applicable. In most cases, that will be easy to determine. For example, data processed to fulfill contracts should be stored for as long as the organisation performs the task to which the contract applies.

Likewise, organisations that process data on the grounds of a legal obligation public task or vital interest should hold on to the data while those processing activities are relevant.

Things are trickier with consent and legitimate interests, as there is no clear point at which they’re no longer valid.

As such, we recommend reviewing any processing that involves these lawful bases at least every two years.

6) Data subject rights

 

The GDPR gives individuals eight data subject right which you should list and explain in your privacy notice:

• Right of access: individuals have the right to request a copy of the information that an organisation holds on them.

 

• Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.

 

• Right of portability: individuals can request that organisation transfer any data that it holds on them to another company.

 

• Right of rectification: individuals have the right to correct data that is inaccurate or incomplete.

 

• Right to be forgotten: in certain circumstances, individuals can ask organisations to erase any personal data that’s stored on them.

 

• Right to restrict processing: individuals can request that an organisation limits the way it uses personal data.

 

• Right to be informed: organisations must tell individuals what data of theirs is being collected, how it’s being used, how long it will be kept, and whether it will be shared with any third parties.

 

• Rights related to automated decision making including profiling: individuals can ask organisations to provide a copy of its automated processing activities if they believe the data is being processed unlawfully. You should also remind individuals that they are free to exercise their rights and explain how they can do this.

 

Is privacy notice the same as a privacy policy?

A privacy notice is a publicly accessible document produced for data subjects. By contrast, a privacy policy is an internal document that explains the organisation’s obligations and practices for meeting the GDPR’s requirements.

Although they cover many of the same topics, privacy notices aren’t to be confused with privacy policies.

 

 

Why you need a privacy notice?

Privacy policies can also help you win business, as they prove that you take information security seriously.

Privacy notices are a legal requirement under the GDPR and ensure that individuals are aware of the way their personal data is processed. However, they can also benefit organisations in several ways.

For one, privacy policies provide documented proof of your data processing activities. This helps you justify your processing if someone lodges a complaint with their supervisory authority.

Privacy policies can also help you win business, as they prove that you take information security seriously.

Writing your privacy notice

In general, privacy policies should be written in the active voice and avoid unnecessary legalese and technical terminology.

This is particularly important when you are processing children’s personal data, as there are many concepts that you’ll have to explain in more detail.

Your privacy policy must be written in clear and simple language that data subjects can easily understand.

Likewise, you should avoid qualifiers such as ‘may’, ‘might’, ‘some’ and ‘often’, as they are purposefully vague. Saying you ‘may’ do something doesn’t help the data subject work out under what circumstances it will happen.

Finally, the policy should be free of charge and easily accessible; don’t hide it in a link at the bottom of a form where few people are likely to see it.

You should instead provide the policy to them in writing or link to it when asking for their personal data.

When should you provide a GDPR privacy notice?

The GDPR explains that data controllers must provide a privacy notice whenever they obtain data subjects’ personal information. The easiest way to provide a privacy notice is to post it on your website and link to it whenever appropriate.

If you don’t have a website, you should make a physical copy of your privacy policy available.

The only times this isn’t necessary are when:

• The data subject already has the information provided in the privacy notice;
• It would be impossible or involve a disproportionate effort to provide such information;
• The organisation is legally obliged to obtain the information; or
• The personal data must remain confidential, subject to an obligation of professional secrecy.

When an organisation obtains personal information from a third party, it must provide a privacy notice within a month. This should be done the first time the organisation communicates with the data subject or when the personal data is first shared with another recipient.

 

 

Top Data Breaches in February, March & April 2020

Top Data Breaches in Review: February, March & April 2020

 

Many companies now face data breaches in recent times.Different sectors like IT sector,Healthcare sectors,Public sectors reported data breaches in recent times.

Storing and using sensitive user data by companies are also common things.This data storing companies are the most favorite target for the hackers.This companies are now facing more cyber attacks.This major cyber attack also leads to data breach.Where millions of user data are leaked online.This makes user privacy at risk.Sometimes user data is sold in dark web or just leaked online.

 

 

Many companies face cyber attacks because they don’t maintain their cyber security.Many companies don’t have Cyber Security professionals who can manage the IT security.Small companies are also the favorite target of the hackers because they don’t maintain their cyber security.They don’t have any cyber security infrastructure.So they are easy to hack.

In this article we will show the recent data breach in February,March and April month.

 

 

 

Data Breach In February:

Number of data records compromised in february is 632,595,960.I this month many companies data get hacked.The hackers shared their data in web.Some of the biggest data breach are

Estee Lauder (400 million),Tetrad (120 million),Pabbly (51.2 million ),MGM Resorts (10.6 million),Lukid Party (6.54 million).In this month companies faced almost 25 Ransomware attacks,data leaked for Internal Error of 18, and companies faced 24 cyber attacks.The most breached sector is Healthcare which has  22 data breaches.Education sector which has  22 data breaches and public Sector which have 19 data breaches.

Data Breach In March:

Number of data records breach in March is almost 105.The number of data records compromised is 832,486,418. In this month many companies data get hacked.The hackers shared their data in web.Some of the biggest data breach are Weibo (538 million),Unknown database of US homeowners(201 million),Antheus Technologies (81.5 million),Dutch Government (6.9 million),Prop Tiger (2.1 million).The most sectors are The most breached sectors Healthcare which have 16 breaches,Education which have 11 breaches,Public sector which have 9 breaches.This month companies faces 10 Ransomware attack,6 internal error and 5 other cyber attacks.

Data Breach In April:

Number of data records breach in March is almost 49.The number of data records compromised is 216,141,421. In this month many companies’ data got hacked.The hackers shared their data on the web.Some of the biggest data breaches are Zoom (500,000),Email.it (600,000),Quidd (4 million ),Maropost (95 million).The most breached sectors Healthcare which have 11 breaches,Professional service which have 11 breaches,Public sector which have 9 breaches.This month companies face 12 Ransomware attacks,9 internal errors and 19 other cyber attacks.

 

Why Cybersecurity is important during the COVID 19 pandemic

Why Cybersecurity is important during the COVID 19 pandemic:

 

In this lockdown, many people are working and learning from home. The world is moving online at an unprecedented rate and the cyber attacks also increased for this reason.

Cybercriminals take advantage of this situation and now they try different methods. Phishing and scamming increased in recent times. Many online platforms also face cyber attacks. Hackers now try to hack online apps that are used in online meetings. Many companies now work from home and so there’s a shortage of security. Hackers now take advantage of these situations.

So at this time, cybersecurity is very important. Many companies now work online and it also increases the threat of cyber attacks.

Cybersecurity is very important right now. So companies should be aware of this type of attack.

 

 

 

 

 

Spam Mail : 

At this time many employees are getting too much spam mail. There are so many email providers who have a spam filter. That can easily find the spam mail. But some companies use their own mail server.

So companies should check their mail server security. It will help them to protect their mail server from any type of cyber attack.

 

 

 

 

Phishing Attack :

In recent times phishing attacks have increased so much. Many people get phishing links by email. These phishing links sometimes look genuine and people clicked on the links. This phishing links redirect to websites that have malware or hacker tricks, people, to give sensitive data.

Employees need to check any type of link that’s not come from a trusted source. This type of phishing link can trick people easily.

 

 

 

 

Social Engineering :

This is the most common attack hackers use to steal sensitive data. Hackers use different types of social engineering methods to trick people.

Because many people are under pressure and work remotely, this type of trick can harm companies’ data. So companies should aware of their employees to check before sharing any sensitive data.

 

Unencrypted Connection : 

Any unencrypted connections can steal sensitive data. Companies need to ensure that when employees access their data remotely, their connection is secure and encrypted.

If their connection is not secure hackers can use MITM attack to steal sensitive data. So companies should use an encrypted connection.

 

Accessing Third-Party Apps :

Many companies work remotely right now. So many companies are doing their meeting and conference online. Many companies have their own infrastructure but many companies use third-party Apps.

So hackers now try to exploit these apps to hack into the system. When companies use third-party Apps they must ensure security. If any apps they find vulnerable they must use the latest version of the App or find an alternative of this App.

These are some security measures you can check to ensure the cybersecurity company. You can also use VAPT service, which can find a vulnerability in your Network, Web App, or Android apps.

This type of vulnerability testing is done by industry experts. They can help you to find the vulnerability in your IT infrastructure. So you can easily fix that problem to secure your company from any type of cyber attack.

 

Zoom Video Conferencing App is vulnerable to Cyber Attacks

Zoom Video Conferencing App is vulnerable to Cyber Attacks

The famous Zoom meeting App is vulnerable to cyber attacks now. Installing it on your system or using it, makes Your system vulnerable. In recent times the uses of video conferencing apps have increased due to work from home. Many companies and institutes use video conferencing apps to interact with people.

Zoom video conferencing app is one of the best-performing video conferencing app. Many people use this App for video conferencing. This spotlight also reveals the security and privacy issues of the Zoom App. The main security concern occurs when researchers know that many Zoom accounts have already been hacked. Many recorded meeting videos uploaded on Youtube and Vimeo website. Some of this video has personally identifiable information as well as an intimate conversation.

Zoom offers an option to hosts if they want to record and save the meeting and it is not recorded by default. The issue was notified to Zoom by the publishing house and the company is looking into the matter. The privacy issue occurs due to its encryption method and an option that adds people to a user’s list of contacts if they sign up “with an email address that shares the same domain.”

These two reasons are responsible for the privacy leak of the Zoom App.

 

 

Zoom App Encryption Technique :

 

Zoom meetings are not end-to-end encrypted as mentioned on their website. The app uses regular TLS encryption, the same encryption web browsers use to secure HTTPS websites.

The end-to-end encryption means no one can read the content shared by two people using any App. But the recent privacy leak of Zoom App questioned their App security.Zoom’s spokesperson told The Intercept, “It is not possible to enable E2E encryption for Zoom video meetings.”. Zoom also denied misleading users, claiming that E2E, for them, is “in reference to the connection being encrypted from Zoom endpoint to Zoom endpoint.”In a report by The Intercept Zoom has been found issuing encryption keys by servers located in China even when all the meeting participants are from America.

Researchers from University Of Toronto also found that the servers that issuing encryption to users are located in China.The researcher runs a test to track how the Zoom generate the encryption key.They found that the shared meeting encryption key during a meeting was sent to one of the participants over TLS from a Zoom server apparently located in Beijing.

This raises the security concern as Zoom will be liable to share the keys with the Chinese government if required, as per the laws.

 

The leakage of user data to strangers:

Zoom also leaked many email addresses and photos of its users.For this reason Zoom users could get video calls from strangers.This happens due to an option offered by Zoom that is known as Company directory.The option adds people to a user’s list of contacts if they sign up with an email address that shares the same domain.

The feature was introduced to help colleagues to find people from the same company.But in a recent report,researchers find that people who signed up using  their private email id are also shared by Zoom App.There is one more security issue the security researcher has found.The shaddy installation of Zoom App.

Felix, a malware tracker at VMRay, discovered that the Zoom macOS installer evades Apple security mechanisms to get root privileges.The Zoom installer uses preinstallation script and misleading prompt to get root privilege.The App also makes Windows vulnerable.A security report shows that a flaw in Windows clients can lead hackers to steal windows credential of users.

So it is advised to not use Zoom App.Security researchers already reported this loophole and security companies.They also told users to uninstall the App because of the privacy concern.You can check the other alternatives of the Zoom App.

 

COVID-19 Impact | Job losses and Unemployment in IT sectors

COVID-19 Impact | Job losses and Unemployment in IT sectors

 

 

If you are not worried about your immediate survival in the current national lockdown, then your next worry is how does this impact your employer and your future. Like most professionals, your job is and will remain your primary source of income for the most part of your life and this unprecedented crisis appears to be a major threat in the short to medium term. Let us go through some important knowledge of this outbreak and the impact on the IT sectors. Let’s meet Shreeram M*, a techie working for a small IT firm in Pune, was forced to resign along with six others, in March. A fortnight later, in another ITeS-BPO firm — Fareportal — more than 300 employees were laid off. This may just be the beginning as HR experts and industry players see around 1.5 lakh employees in India’s IT industry losing their jobs over the next three-to-six months. As per the news, we can see Spain has shed jobs at a record pace since it went into lockdown to fight the coronavirus, social security data showed on Thursday, laying bare the scale of the epidemic’s impact in the euro zone’s fourth-largest economy.  As per the news, Some 900,000 workers have lost their job since mid-March, with those on short-term contracts in tourism or construction among the hardest hit. At least another 620,000 have seen their contracts suspended with temporary layoffs and tens of thousands are on sick leave.   Jobless numbers for March, also published on Thursday, showed Spain registered its highest monthly increase ever, with a 9.3% jump from the previous month bringing the total number of unemployed people to around 3.5 million.

Immediate actions

As the lockdown proceeds, you will increasingly feel disconnected and irrelevant, blunting your professional edge and reducing your employability. Thus, your most urgent requirement is to stay busy and connected with work. Establish and follow a proactive routine to manage time optimally and get the results you seek. Work diligently and don’t miss the daily team call routine. Volunteer for additional tasks and deliver within deadlines. Next, check out online training programs offered or assigned by your firm and set aside an hour daily to complete them. You will learn new stuff and keep your brain engaged and sharp. Now, formulate and lead online training sessions on different Skill sets for your junior team members. Finally, create and execute weekly projects from team goals that were put on the backburner earlier.

 

How to enhance your skills?

Learn Cloud Computing:

Cloud Computing refers to the computing services including servers, storage, databases, networking, software, analytics, intelligence and others over the Internet (“the cloud”). What does it do? It offers faster innovation, flexible resources, and economies of scale. Cloud Computing has the flexibility of offering a “pay per use” feature that enables business houses to pay only for services you use, helping lower your operating costs, run your infrastructure more efficiently and scale as your business needs change.

Learn Python Programming Language:

According to the latest TIOBE Programming Community Index, Python is one of the top 10 popular programming languages of 2020. Python is a general-purpose and high-level programming language. You can use Python for developing desktop GUI applications, websites, and web applications. Also, Python, as a high-level programming language, allows you to focus on the core functionality of the application by taking care of common programming tasks. The simple syntax rules of the programming language further make it easier for you to keep the code base readable and application maintainable.

 

Learn Networking:

Experts agree that the most connected people are often the most successful. When you invest in your relationships — professional and personal — it can pay you back in dividends throughout the course of your career. Networking will help you develop and improve your skill set, stay on top of the latest trends in your industry, keep a pulse on the job market, meet prospective mentors, partners, and clients, and gain access to the necessary resources that will foster your career development.

Learn Cyber Security :

 

Cybersecurity is important because it encompasses everything that pertains to protecting our personal information, intellectual property, data, and governmental and industry information systems from theft and damage attempted by criminals and adversaries.

 

Because of the massive increase in hacks and hacking attempts, cybersecurity has become an unavoidable topic of discussion in the past several years. Events that occur in the cybersecurity industry can and often do have global consequences and the possibility of catastrophic results.

 

Learn Machine Learning:

The machine learning field is continuously evolving. And along with evolution comes a rise in demand and importance. There is one crucial reason why data scientists need machine learning, and that is: ‘High-value predictions that can guide better decisions and smart actions in real-time without human intervention.’

Machine learning as technology helps analyze large chunks of data, easing the tasks of data scientists in an automated process and is gaining a lot of prominence and recognition. Machine learning has changed the way data extraction and interpretation works by involving automatic sets of generic methods that have replaced traditional statistical techniques.

 

Conclusion:

There are some of the most highly demanding skills in the IT industry. Getting new skills will help to get more opportunities in your career. It will also help to survive in a crisis situation, where people lose their jobs and unemployment in the IT sectors. Now coming to an end suggesting to utilize this lockdown period and enhance your skill by these online live classes.

 

Cyber Security, Machine Learning, Networking, Cloud Computing, and Python programming are the most demanding skills, employers are looking for. Because in today’s world Cyber Security is a big concern. Machine learning also helps companies to enhance their product and services. Python is the most popular language because of its easy implementation with any technology. In this connected world network engineers play a very important role. Companies hire Network engineers to main their network infrastructure. Many companies now shifted their Web apps and services to the cloud because of its high features.

So learning any of this skill will help to enhance your current skills and also help you get more opportunities in your career.